In recent years, more and more computing applications are being implemented in distributed environments. A given distributed application may, for example, utilize numerous physical and/or virtualized servers spread among several data centers of a provider network, and may serve customers in many different geographical locations. A large corporation or government entity may utilize the resources of one or more cloud infrastructure providers for many different applications, with at least some of the applications interacting with each other and with other applications being run on customer-owned premises. Many such applications may deal with highly confidential data, such as financial records, health-related records, intellectual property artifacts, and the like.
As evidenced by the increasing number of recent news reports regarding successful network-based attacks on various businesses, the need for better approaches towards preventing the theft or misuse of business-critical or confidential data continues to grow. Some existing techniques, such as the deployment of virus-scanning software on an enterprise's computer systems, or the enforcement of requirements for non-trivial passwords, address small partitions of the data security problem space. However, especially in environments in which complex applications are run in virtualization-based cloud environments, many application owners may be unaware of all the types of vulnerabilities that may apply to their applications. The virtualization approach, in which the users of a given service are typically not provided with details regarding the specific hardware/software devices being used on their behalf, and are typically not provided administrative privileges for those devices, may simplify the use of the service considerably from the perspective of the average user. However, from the perspective of the individuals responsible for information security at an enterprise that utilizes cloud-based infrastructure, virtualization environments may present significant challenges. In some cloud environments, the number of different inter-related services and corresponding physical and virtual resources deployed for a given set of customer applications may be so high that vulnerability analysis using existing point solutions may no longer suffice.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood, that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.